How Privacy Laws Really Work

It’s been a year since GDPR was introduced, and yet seemingly very little has happened apart from snake-oil selling consultants making lots of money providing conflicting advice making marketers very nervous.

That advice caused us all to receive a barrage of emails from companies we hadn’t heard from in years telling us how important our privacy was to them!

I recently had the opportunity to sit down with privacy law expert Axel Tandberg of PrivacyWorks to find out the truth.

As someone that has worked in the field of privacy law since before the turn of the millennium, long before GDPR was even conceived, can you give us an overview of why GDPR was introduced?

Axel: Well GDPR is an interesting little beast concerning how we process data. It replaces old legislation that was drafted in the 90’s before we had Wi-Fi and smartphones, and companies had easy ways to collect lots of data about us.

 

We now have access to databases and organisations routinely collect data about people and while many organisations had privacy policies before the introduction of GDPR, they were often tweaked for the own advantage.

This meant that as a consumer, you had no idea what data organisations had collect about you, where it was, who was using it and what they were using it for.

The EU decided this wasn’t acceptable and introduced GDPR to protect people and their data.

The big change is that an individual now owns their own data, and as organisations we can now only borrow data – and borrowing without asking is theft.

If you want to borrow something from somebody you have to tell them what you are borrowing it for – for instance if I borrow your lawnmower you might not be very pleased If you found me cutting the hedge if I didn’t tell you that I had a revolutionary idea for cutting a hedge and could I borrow your lawnmower as I don’t have one that will work in this way.

It’s ironic you use that example, I’ve been out cutting our hedges recently and could do with an innovation like that!

Now, a year ago we all got bombarded by emails asking for consent for organisations to keep sending us marketing emails and websites started putting intrusive pop-up notices about cookies on their sites. But has anything really changed?

Are the authorities really doing anything?

Axel: Well you might not have seen much change yet, but the data protection authorities are starting to show their teeth and are starting to implement their rules and issue fines.

 

Perhaps the most high-profile example so far has been a case against Marriott International, but there are lots of others in process.

What was interesting in the Marriott case is that it shows that you might have done enough, but if you do not do your due diligence whilst acquiring another company you might get fined. The issues stem from Marriott acquiring the Starwood hotel group, a group that have had problems with their customer database since 2014.

 

The issues were discovered in November 2018 when a security breach lead to that a variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million were related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents, which led to that the ICO fined Marriot £99,200,396.

Wow that is a huge fine! But are the authorities only going after the big organisations, or do smaller companies also need to be concerned?

Axel: We all need to be careful with people’s data, and there are also lots of lesser fines. For example there was one fine to a German company that asked the data protection authority do I need to write a data processing agreement with a Spanish sub-processor. They then decided they couldn’t be bothered to translate it from German to Spanish and were subsequently fined.

 

For those that are worried they need to translate everything into every European language, fear not. If you have an English language website then you need an English language privacy policy, but if you translate it into French, then you also need to translate the privacy policy and cookie controls into French too.

Before we go too much further, could you explain the fundamental rights that individuals have been given under GDPR please?

Axel: Well there are eight fundamental rights that GDPR provides: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling.

 

All the above support the fundamental principle to the fact that an individual owns their own data. As a company you are accountable for making sure the data is handled and processed as agreed with the data owner. That means keeping the data up to date, only storing it for as long as necessary, ensuring confidentiality is upheld and that you can prove you have consent or a legitimate business reason to use it.

What’s more only relevant people within the organisation have access to that data and that nobody outside the organisation can get hold of the data.

That is why British Airways recently received a record fine of £183 million for the website hack of June 2018 that enabled personal details from around 500,000 customers to be harvested.

I saw that case, and interestingly I could have had my data stolen in both the BA and Marriott hacks. I understand the Information Commissioner Elizabeth Denham recently stated that “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

So who exactly does GDPR apply to?

Axel:  GDPR only applies to the processing of any data being processed within the European Union. So this could be data from a Chinese person, collected by an American company but processed in a European Union member state.

I know many of my colleagues and clients in marketing have received lots of conflicting advice on the impact of the legislation. We all got bombarded with emails asking us to provide consent to receive emails and started seeing pop-ups on websites expressly asking for permission to collect certain types of data. 

Axel: GDPR only applies to the processing of the data, it doesn’t apply to sending of marketing messages. These are regulated by marketing legislation that is dictated by an EU regulation.

 

You need consent to send a private person a marketing email, this could be unambiguous consent as part of a broader set of terms and conditions before GDPR. According to GDPR, consent has to be specified and separate from anything else. If you are gathering information when buying a product for example, you must separately provide consent to receive marketing messages and this has to be given as a positive action – such as purposefully selecting a tick box.

We should remember that this is different if you are sending an email to a B2B customer or prospect. And this comes down to an interpretation by France, UK and Sweden that if you send an email to somebody that is receiving it as a representative of an organisation it is ok to send it without consent as long as it is relevant to the purpose of their role.

So as I’m a lawyer you would be perfectly in your rights to send me marketing emails about legal matters, but if you send me emails about dentistry that would be in breach of the regulations.

 

And why do I say that? Well my surname is Tandberg, which translates to “tooth mountain” and I have received lots of emails marketing drills and filling materials to me!

 

If you are contacting people in Denmark, for example then you have to have explicit consent to send both B2C and B2B emails.

And then you have the cookie – well with cookies how do you get consent from the website. You have to explain how you are going to use cookies and what they are for. The UK’s ICO has provided some excellent information about cookies and how to remove them.

You make it all sound so simple! And thank you for that tip, the link to the ICO web resource can be found here. 

Now quite a few organisations I know of have collected historical lists of email addresses that due to the nature of the systems may not have a traceable consent.

Axel: The barrage of emails came from a misunderstanding of what GDPR really is – and that was that you have to have consent to use any data. There are six legal rights and consent should be the last one you use.

 

For marketing the “legitimate interest” principle is the strongest and this is hard because it is a balancing act between the company’s interest and the person’s interest.  If you have informed the recipient, you don’t need to have to ask for consent again.

One mistake people make is that on top of the affirmative consent they provide when signing up to an email newsletter on a website, they also add a tick box. Rather than the tick box, you just need to say that “by providing your email in the box above you agree to receive marketing messages from us”.

But coming back to your question, if they have been engaging with your B2B emails and they are to business email accounts then you can continue sending emails to them under the legitimate interest principle.

If they are personal email addresses, then I would expunge them from the database as you have to be able to show the person the date they provided consent. In addition, I would remove all those people that have never opened email. Those that have opened emails, I would recommend sending them an email asking for consent to continue sending them new emails as the organisation is updating its database. If they don’t respond, then remove them from the list.

Excellent, thank you for that. If someone is concerned about complying with the legislation who should they speak to?

Axel: Well I would recommend they speak to a legal expert that has at least four years’ experience in privacy and data protection law. To be able to apply the law you really need to understand the history of the legislation.

You can always go to the local direct marketing association for information, but if you want to keep your queries quiet then you could speak to a legal professional like me that has been working in the data protection field related to marketing and health since 2000.

What is the best way for them to contact you?

Axel: Well the best way to contact me is by sending me an email at axel.tandberg@legalworks.se – and you have my consent to send me an email as long as its related to data privacy.

 

No dentistry-related emails please!